SQL 插入和提交 [英] SQL Insert and Submit

问题描述

当我执行这个查询时，它返回 false，这意味着查询是错误的.你能找出原因吗?

When I execute this query it returns false, which means the query is wrong. Can you figure out why?

$string1 = 'wee';
$string2 = 'wee'; 
$string3 = 'wee'; 
$string4 = 'wee';  

if (isset($_POST['submit'])) {  

    $query = "INSERT INTO data (book, title, content, author)
              VALUES ($string1, $string2, $string3, $string4)";          
    mysql_query($query, $con);    
}

但是，当我输入如下内容时，它返回 true 并正确插入:

However, when I put something that is like the following, it returns true and inserts correctly:

$query = "INSERT into data (book, title, content, author)
          VALUES ('wee', 'wee', 'wee', 'wee')";

另一个问题:当我提交时，查询似乎在执行时返回了两次，这意味着一条查询有两条记录.有人明白吗?

And another question: when I submit, it seems that the query is returning twice when executed which means two records with one query. Does anyone understand that?

如果您需要更多信息，请直接询问.

If you need more information, just ask.

提前致谢.

推荐答案

虽然这个问题似乎得到了解答，但您不应该直接在查询中使用用户输入，因为这会为 SQL 注入等漏洞打开漏洞(这很糟糕)

Although this question seems answered, you should not be using user input directly in queries as this opens holes for vulnerabilities like SQL Injection (and that's bad mmmay)

如果您查看 php.net 上的 mysql 页面(mysql_query) 页面说建议您使用像 PDO 这样的抽象层 (pdo-mysql)

If you look at the mysql page on php.net (mysql_query) the page says it is recommended you use an abstraction layer like PDO (pdo-mysql)

使用 PDO 将允许您将参数绑定到 sql 查询，以绕过在查询中使用用户输入的安全隐患.

Using PDO will allow you to bind parameters to your sql queries to bypass the security implications of using user input in your queries.

如果您不将参数绑定到您的查询中，您会过得很不愉快.

If you don't bind parameters to your queries, you're gonna have a bad time.

这篇关于SQL 插入和提交的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！